Attack Against Wormhole Hacker From Jump Crypto and Oasis.app

Web3 infrastructure company Jump Crypto and decentralized finance (DeFi) platform Oasis.app carried out a counter-hack targeting the Wormhole protocol hacker. The duo managed to retrieve $225 million worth of cryptocurrencies and transfer them to a secure wallet address.

Wormhole was hacked in February 2022, and approximately $321 million worth of Wrapped ETH (wETH) was stolen through a vulnerability in the protocol’s token bridge. The hackers have since moved the stolen coins through various Ethereum-based decentralized applications (dApps). Via Oasis, they recently opened a Wrapped Staked ETH (wstETH) vault on January 23 and a Rocket Pool ETH (rETH) vault on February 11.

The Oasis team confirmed in a blog post on February 24 that they had carried out a counter-hack and stated that they had received orders from the High Court of England and Wales to retrieve certain assets related to the address associated with the Wormhole hack. The team stated that the rollback was initiated through “Oasis Multisig and a court-authorized third party” and was done in collaboration with Jump Crypto.

The transaction history of both vaults shows that 12,695 wstETH and 3,213 rETH were moved by Oasis on February 21 and transferred to wallet addresses under the control of Jump Crypto. The hackers also had nearly $78 million worth of debt in MakerDAO’s stablecoin DAI, which has also been redeemed. The Oasis team said:

“We can also confirm that the cryptocurrencies are immediately transferred to a wallet controlled by an authorized third party, as required by the court order. We do not have any control or access to these cryptocurrencies.”

Addressing concerns about Oasis being able to retrieve cryptocurrencies held in user vaults, the team emphasized that this was only possible due to a previously unknown vulnerability in the design of the admin multisig access. According to the blog post, the vulnerability was detected and reported to them by a white hat hacker earlier this month.

“We point out that this access is provided solely for the purpose of protecting user assets in the event of a possible attack and will enable us to act swiftly to close any vulnerability disclosed to us. We would like to remind you that at no point, in the past or now, have user assets been at risk of being accessed by unauthorized parties.”
